Worldcoin says it has suspended services in Spain after filing a legal challenge against a temporary ban

By | March 9, 2024

A German subsidiary involved in Sam Altman’s controversial crypto blockchain digital identity business, Worldcoin, is said to have filed a legal challenge on Friday against a suspension order from Spain’s data protection authority. It also told us that it has stopped services in the market.

Earlier this week it emerged that the Spanish authority, the AEPD, had ordered Worldcoin to temporarily stop scanning people’s eyeballs or further processing data already collected from people on the market.

As we reported on Wednesday, the AEPD announced an Article 66 ’emergency procedure’ against Worldcoin under the European Union’s General Data Protection Regulation (GDPR), saying it acted after receiving a number of complaints. Issues of concern it raises include the level of information Worldcoin provides about the processing; collecting data from minors; and how withdrawal of consent is not permitted. It also highlighted the sensitive nature of the biometric data involved, which it said poses “major risks to people’s rights.”

While Worldcoin’s operating company, Tools for Humanity, is considered the “largest established” in Germany, allowing it to benefit from streamlined regulatory oversight through the GDPR’s one-stop-shop mechanism – with the Bavarian Data Protection Authority (BayLDA) acts as the lead authority for monitoring and investigating complaints – the regulation contains powers that allow any other DPA to issue temporary orders, lasting up to three months, if it considers there is an “urgent need” to act to protect the rights of local people.

Such orders apply only to the authority’s own market, and not across the EU. The AEPD’s temporary ban on Worldcoin therefore only applies in Spain.

Despite the GDPR providing for urgent interventions by non-lead data protection authorities, Worldcoin challenges the AEPD order.

The development was first reported in the German press. A spokeswoman for Worldcoin, Rebecca Hahn, emailed a link to the report published by Schwäbisch and said she wanted to bring it to TechCrunch’s attention. She also sent a statement (below), attributed to Worldcoin, in which Tools for Humanity claims that its eyeball scanning activities are “fully compliant” with all EU laws regarding biometrics, data transfer, data processing and data protection. The statement also accuses the AEPD of circumventing “accepted EU processes and rules” – leaving it with “few options” other than filing charges, it says.

Here is Worldcoin’s full statement:

Worldcoin fully complies with all laws and regulations regarding the collection and data transfer of biometric data, including the European General Data Protection Regulation (“GDPR”). As such, we have been in a consistent and ongoing dialogue with our main data protection authority in the EU, BayLDA, for months. We were disappointed that the Spanish regulator bypassed the accepted EU process and rules, leaving us with little choice but to file a lawsuit.

Hahn did not respond to questions asking for more details about the legal arguments Tools for Humanity plans to make against the AEPD order. Nor to confirm whether Worldcoin and its operators in Spain have complied with the local order to stop scanning and processing people’s data from the market.

Update: Worldcoin told us it has “paused” operations in Spain. It also published a blog post confirming that a complaint has been filed against the AEPD order.

The AEPD was contacted for comment on Worldcoin’s challenge but had not responded as of press time.

According to Schwäbisch’s report, Worldcoin was “largely developed” in Erlangen in Bavaria, Germany. It names German computer scientist Alex Blania (pictured above) as co-founder of Tools for Humanity, along with Altman of OpenAI. Blania’s LinkedIn profile states he lives in San Francisco.

At the time of writing, the website Worldcoin.org still lists five ‘pop-up’ locations in Spain (three in Barcelona, ​​one in Madrid and one in Malaga) where people can go to have their eyes scanned by one of the Worldcoin offices. own bulbs. However, on Wednesday, Worldcoin’s site listed 29 locations across the country where people could go to have their biometrics collected in exchange for a few crypto tokens. Which suggests that the company may be in the process of ending scanning operations in the market.

Update: Shortly after wondering why Worldcoin’s website still listed five pop-up locations in Spain today, the remaining five listings disappeared after the website updated to remove “Spain” from the list of countries where eyeball scanning is available. Below is an image showing a StreetView of the address of one of the pop-ups that, until a few hours ago, was still being advertised for people to book to attend an eyeball scan on Worldcoin’s website.

Worldcoin eyes scanning popup, Barcelona

Worldcoin eyes scanning popup, Barcelona

Google StreetView shows the address of one of the Worldcoin eyeball-scanning ‘pop-ups’ reported in Barcelona earlier today (Screen grab: Natasha Lomas/TechCrunch)

One of the controversies surrounding the company is that it obtains sensitive biometric data from people in exchange for some form of payment. Worldcoin claims that users consent to their data being processed for the purpose. But in the EU, the GDPR requires consent to be freely given – and a financial incentive creates an obvious incentive that may mean people are unable to freely consent as the law understands it.

Other GDPR concerns about Worldcoin include the transparency and fairness of the processing; issues relating to the rights of data subjects, such as the right to have personal data deleted; risks to minors; and questions about data transfer and security.

The BayLDA investigation, which started last year, into whether Worldcoin complies with the GDPR is still ongoing. But yesterday the authority told us it expects to send a draft decision outlining its findings to the other European data protection authorities for review “very soon.”

Under the GDPR, other authorities concerned about cross-border processing can object to a draft decision if they disagree with the lead authority’s findings. If that happens, disputes over decisions will be resolved through majority voting or, if data protection authorities remain divided, the European Data Protection Council will have a casting vote. This means that while the regulation allows for the supervision of entities like Worldcoin to be led by a single authority, it is designed to ensure that other relevant authorities remain involved in decisions that affect users in their own markets.

In Catalonia, the autonomous community in Spain where Worldcoin currently lists the most pop-ups (three) for eyeball scans, local press recently reported that the regional government had responded to concerns about the company’s biometric scanning activities by publishing an article offering advice and warnings from the Catalan Data Protection Authority.

The article warns about the “particularly sensitive personal data” is collected via the iris scans; the risks of harm from misuse of such data; and raises specific concerns about data being collected from children without the necessary consent of a parent or guardian.

The article also notes that “several” EU authorities are currently investigating whether Worldcoin complies with GDPR.

Leave a Reply

Your email address will not be published. Required fields are marked *